Office (OLE) / .XLS malware analysis — malicious · 8168819cb693a3a0

MALICIOUS

Office (OLE) / .XLS

64.0 KB Created: 2020-04-13 07:35:51 Authoring application: Microsoft Excel

MD5: 37e01a36f66ba64f39112a61903c9e91 SHA-1: bce66bde52ea88c7f42d50fa4c3db539a853d5c5 SHA-256: 8168819cb693a3a04f771ee119ca00e631a74f09419ad295c5088f1e7a430e98

220 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The XLS file contains VBA macros that utilize WScript.Shell to execute commands. Specifically, the `subb` subroutine calls `CreateObject("WScript.Shell").Run(subs(50, 2, 11988), 0, False)`, indicating an attempt to run an external process. The `subs` function appears to be deobfuscating a command string from cell data, which is then executed. This pattern is commonly used to download and execute further malicious content.

Heuristics 5

Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage
Reference to Windows Script Host high SC_STR_WSCRIPT

Reference to Windows Script Host
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `d4cf269117564a9b19daedf1ce2753fbbcdaa8c8342e9ee8a6f8055bc679edfd`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1387 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.